UNITED STATES INTERNATIONAL TRADE COMMISSION
WASHINGTON, DC 20436

December 05, 2013          OIG-ML-14-04          IG-LL-020

Commissioners,

The Commission submitted its Annual Federal Information Security Management Act (FISMA) report on December 2, 2013. The report contains more than 100 questions about the information security program here at the USITC. We answered 48 of the questions with a "no," meaning that the program is missing 48 components. The Chairman requested we prepare this Management Letter to explain the implications for the USITC and what actions can be taken to improve information security.

The FISMA report assesses the maturity of an agency's information security program; it covers a wide range of program components. As with managing any task, it is important to focus on doing the right work and to handle the most important things first. Because of the large number of "no" answers, I am concerned that the Commission may focus on too many things and not on the most important things. Guidance from DHS (Attachment 1) identifies the twenty most important security controls, the top four of which are the only controls rated as "very high" for the mitigation of attacks by the National Security Agency (NSA).

These controls are:

    1. Inventory of Authorized and Unauthorized Devices:
           • Know the devices on your network.
    2. Inventory of Authorized and Unauthorized Software:
           • Know the software on your network.
    3. Secure Configurations for Hardware & Software on Laptops, Workstations, and Servers:
           • Secure systems by default.
    4. Continuous Vulnerability Assessment and Remediation:
           • Monitor and patch continuously.

The Office of Inspector General has audited each of these areas, including patch management, which was the subject of our latest report (Attachment 2). This report identified that the Commission did not have an effective patch management program. The data from this report was the basis for many of the "no" answers on the FISMA report, and demonstrated that the Commission was not implementing the four critical controls. Therefore, the Commission is not effectively managing the information security of its network.

To assure the security of its network, the Commission should focus on the top four NSA Critical Controls.

Regarding the first control, we issued a recommendation in our recent patching audit report, "That the CIO shrink the network to facilitate at least weekly patch scanning of all hosts." This recommendation is pending a management decision. Note that the OIG first made this recommendation in a 2011 audit report. (Management decided to not implement this recommendation.)

For the second control, the most effective means to manage the software on a network is through use of a technology known as "whitelisting," which determines the specific software that is permitted to run on a network and denies all other software from being executed. Therefore, we recommend the following:

Recommendation 1: The Commission implement whitelisting to prevent unauthorized software from running on the network.

The third and fourth controls would be implemented by effective management decisions that adopt the remaining six recommendations made in the OIG Audit of the Commission's Patching Process.

Having these four controls in place will allow the Commission to act on the November 18th, 2013, OMB memorandum, Enhancing the Security of Federal Information and Information systems (Attachment 3). The purpose of this memorandum is to shift the focus of government security reviews from a static "once every three years" process to one that consistently assesses and fixes security issues. Specifically, OMB wants agencies to focus attention on "what data and information are entering their networks, who is on their systems, and what components are on their information networks as well as when their status changes."

Implementing these OIG recommendations will help the USITC focus on the critical controls for information security. The process of automating these controls will go a long way toward building the program discussed in the FISMA report. Demonstrated effectiveness of these controls will provide you with confidence that your information security program is built on a solid foundation.

Philip M. Heneghan
Inspector General, USITC

List of Attachments:

Attachment 1: DHS co-sponsored poster of 20 Critical Security Controls (SANS Institute)

Attachment 2: OIG Report: Audit of Patch Management Process

Attachment 3: Enhancing the Security of Federal Information and Information systems
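As an added illustration of the default-deny "whitelisting" the letter recommends for the second critical control (example code, not part of the OIG letter or of any USITC system), the following shows an allowlist keyed by content hash rather than file name, so a renamed approved tool still runs while a tampered or unknown binary is denied; every host name, path, and file content here is constructed.

```python
import hashlib

# Added example of default-deny software whitelisting (critical control 2).
# All binaries, paths and hosts below are constructed; no real hashes are used.

def sha256_hex(data: bytes) -> str:
    """Content hash used as the allowlist key: a file name can be spoofed, a hash cannot."""
    return hashlib.sha256(data).hexdigest()

# Constructed authorized-software inventory: file content -> description.
APPROVED_BINARIES = {
    b"constructed bytes of approved editor v1.0": "editor",
    b"constructed bytes of approved browser v12": "browser",
}
ALLOWLIST = {sha256_hex(content): name for content, name in APPROVED_BINARIES.items()}

def execution_decision(content: bytes, allowlist: dict) -> str:
    """Allow only software whose hash is on the list; everything else is denied by default."""
    return "ALLOW" if sha256_hex(content) in allowlist else "DENY"

def audit_inventory(hosts: dict, allowlist: dict) -> dict:
    """Return {host: sorted paths of unauthorized software} for an inventory
    shaped {host: {path: file_content}}; an empty list means the host is clean."""
    findings = {}
    for host, files in hosts.items():
        findings[host] = sorted(
            path for path, content in files.items()
            if execution_decision(content, allowlist) == "DENY")
    return findings

# Constructed inventory: a renamed copy of the approved editor (allowed, hash matches),
# a modified browser (denied, hash differs) and an unknown binary (denied by default).
SAMPLE_HOSTS = {
    "ws-01": {
        "/opt/editor": b"constructed bytes of approved editor v1.0",
        "/tmp/notepad": b"constructed bytes of approved editor v1.0",
        "/opt/browser": b"constructed bytes of approved browser v12 + patch",
        "/home/user/unknown.bin": b"constructed bytes of unknown software",
    },
    "ws-02": {"/opt/browser": b"constructed bytes of approved browser v12"},
}

if __name__ == "__main__":
    for host, paths in audit_inventory(SAMPLE_HOSTS, ALLOWLIST).items():
        print(host, "unauthorized:", paths or "none")
```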